
So this morning... Burp is gonna be hard to see, but I wanted to make the font big enough that you guys could see. So this morning I captured some traffic, and you can see here: Leanplum, LetGo, Akamai, that looks good, MoPub, AppsFlyer, Crashlytics, more Akamai, New Relic, Amplitude. It's a lot of domains for one app, right? It's a lot. So let's look at Crashlytics, let's see what that looks like. So this is, again, this is HTTP traffic. It's so big I'm not even sure if I can... there it is. Okay, so this is what the request looks like: a POST to Crashlytics. It's so big you guys can't even see anything; it's all the way down here and I can't pull it up any further. So what you can't see is all these question marks and all that junk. This is a gzipped, deflated blob. So what I would do is copy all of that and send it to Decoder, or utilize the tool. The one thing about the deflator tool, I'm sorry, inflator tool, the decompressor in Burp: because this content type is mixed, it's actually a form post and it's not all a gzip blob, unfortunately it wasn't able to inflate this. But you can just copy it and send it to Decoder, and then with Decoder you can click the gzip, or you can send it somewhere else. So let me just give you an idea of the amount of data that it actually sent out.
So this is to New Relic. These are all of the URLs that were processed in, like, a 30-second time period. So you can see here again Branch, Amplitude, MoPub, AppsFlyer, Crashlytics, Amplitude again, Facebook graph and whatnot, and you can see all the path parameters, any URL parameters, etc., whether it was POST or GET, etc. Tons and tons of stuff. And then you can see here what I was doing while those were being sent, right? So this was, I was looking at the display name for the LetGo notifications view controller, then I was doing the sell navigation controller, then I was doing... like literally just one after another after another. Again, this is like 30 seconds of traffic, tons and tons of communication going out, and it's all this. So, like, yeah, that's URLs and controller class names, like that's some stuff, not incredibly concerning; the version of iOS, whether it was a native app or hybrid. Sorry, I'll make you dizzy here for a second. There's some other identifiable information, but nothing too crazy. So let's go back here, show you one more while I have the time. I got five minutes. I kind of shot myself in the foot: I made the font size bigger so you could all see it, and then the resolution also got bigger, so it's a bit tough to see. Basically three of those, let me go back here, I'll tell you the names again, not shaming: AppsFlyer, Branch and Crashlytics, I believe, all received direct GPS coordinates for where I was this morning. And I don't mean like "yeah, Kevin was kind of in this area," like Bumble does, right? They say "well, he's kind of in this area," you don't know exactly where he is. No, I'm talking like this is the hotel that I was in, and this is where it said I was. Like, the exact location of where I was was sent to at least three different providers. My JWT session for LetGo was sent to one of those. So again, you think, okay, well, we have agreements with them, they're not leaking data, they might not be monetizing that data, etc. But what are the security controls for logging into their portals, right? Because that's their servers, not my servers. Do they have default credentials? What's their data retention policy? Are they GDPR compliant? Right, things start to snowball. And again, this is just 30 seconds of app traffic for one little app that I happened to find, and now my GPS coordinates for this morning were sprayed across at least four different domains within a matter of 30 seconds. Right, this is some concerning stuff, and I wish I could show you more; unfortunately the resolution is not set up for the best. But a
couple more minutes here. I'm gonna have a blog follow-up coming out soon on nVisium.com. This is gonna do some analytics on the analytics, which is a little meta, I know, but basically it's gonna break down how many apps were sharing this amount of data, how many apps were sharing that amount of data, etc. I'm also going down the route, for Android, of utilizing the CERT Tapioca tool. Has anyone heard of CERT Tapioca? So I happen to live in Pittsburgh, so I have a little bit of CERT ties. The Software Engineering Institute, CERT, has a tool that they developed which is basically built on an open VM that spins up ephemeral Android VMs, and you can do MITM proxy on them, and then it tears it down and goes to the next app, right? So it's basically an ephemeral environment for spinning up a bunch of Android devices, looking at app traffic, and going on. The concern there, again, is it's hard to know how much data is leaking if you don't know what to search for, right? When I see my social security number leak somewhere, it's extremely scary to me. If I see Brian's social security number, it looks like a telephone number, like, I don't know, right? It doesn't mean anything to me, it's just random noise. So it's a little tough to find all the regexes, it's a little tough to find all of the data that could be concerning; that's why it's a little bit of a manual process. So I'm trying to automate, and at the end of that I'm still gonna keep flagging these issues when I see them for my clients, I'm still gonna continue to look for them. The fact of the matter is most of these are out of scope for bug bounties, right? It's not their domain. When you go out to the bug bounty and they say "hey, you can hit all of Jet.com's domains," well, Crashlytics isn't on Jet.com, so you can report it to them, but they will probably say "hey, that's out of scope, stay in your sandbox," right? So I'm gonna keep going, I'm gonna keep flagging, I'm gonna keep going on. And the last thing I have to say is we need more people looking at this, because it is intensive. I don't know what data is important to you without knowing your data. I can keep doing it on my own, but I'm one guy, or we're one consulting firm, so we need more folks looking at this, we need more folks looking and utilizing similar tools I mentioned. I will also include the tools in the follow-up blog, and everyone can have my slides. And if you have any questions, ping me: thoughts, questions, concerns, how-to. I'm happy to help, but only for legal, passive activities. I cannot give you permission to actively send any traffic to any domain you don't have rules of engagement for. So thank you to BSides Knoxville staff, volunteers, you, all of you coming and sitting with me. It might be raining outside, but you came in of your free will. I know, you guys are lucky your BSides is on a Friday; a lot of these BSides are on Saturdays, so you got to miss a day of work, maybe. [Laughter] So I got a couple minutes, open up for questions, thoughts, concerns. Yes sir?
That's a good question that I didn't include in my slides, thank you. So his question was, how can we, like, sinkhole the traffic, right? What can we run on the phone to say "don't send any data to Fabric"? And that's a great question. So there are... Android has a few different firewall APIs, we can do regexes on different domains. Hopefully domain fronting is on its way out, so that'll hopefully keep that away. But yeah, there are definitely tools in Android. iOS, the best tool, and my coworkers will tell you I'm gonna have their logo tattooed on my chest because I use them so often, is Surge proxy, it's NSSurge. It's a little pricey for a proxy tool, it's 50 bucks on the App Store, or 50 to 74 for a client. But in the grand scheme of things, 50, 70 bucks for a security tool is nothing; it's just the most I've ever spent on one app in the App Store, so it's all relative. But yeah, so there are a couple, and Surge is one that a lot of Easterners use to get around the great firewall rules, so they basically send a bunch of stuff to proxies and sinkhole a bunch of stuff, and it's really, really cool. If you want to demo that later, buy me a drink and I'll show you. It's a pretty cool one. So yeah, that. Anyone else? Yes sir. Yeah, yeah. So the question is, sir, to repeat for the back: what if these companies start to kind of lay low depending on some indications, whether it's running in a VM, or they start, like, blackballing me specifically, like "okay, this is that Kevin Cody guy who's disparaging, don't let him use our app," right? And that's what I've actually seen, not so much for, like, discouraging researchers, but in the threat world there's actually firms out there that will look to see if an app is running in a VM, and if it is, your threat profile goes up and you might not be able to, say, make a payment or something like that. There's commercial tools out there that do that. So that's a great question. I'm not sure that I have a big enough profile or target on my back, and I haven't automated it well enough to worry about it yet, but yeah, absolutely. Yeah, so just like malware, right, if it's running on a VM, if it's running on a single-core processor, which not very many people have single-core processors anymore, there's ways of trying to identify researchers versus people who are actually using devices and accessing. And obviously they have all that information, because we saw it in the dashboard, right? So great question. Anyone else? Awesome. You guys are awesome, thank you so much. Love Knoxville. [Applause]
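As an added example, not code from the talk or from Burp, CERT Tapioca or any other tool mentioned: a small Python script that does what the talk does by hand in Burp. It splits a multipart form POST into its parts, gunzips only the parts that start with the gzip magic bytes (the mixed content type is why Burp's inflater gave up on the whole body), and then runs two regexes over the inflated text, one for exact latitude/longitude pairs and one for JWTs. The multipart body, the coordinates and the token are all constructed here for the demo, not captured traffic.

```python
import gzip
import json
import re

# Constructed sample (not captured traffic): a multipart form POST like the Crashlytics
# request in the talk, with one plain field and one gzip-compressed JSON report.
BOUNDARY = "----burpdemo"
_REPORT = json.dumps({
    "app": "com.example.demo",
    "os": "iOS 11.4",
    "location": {"lat": 35.9606, "lon": -83.9207},  # constructed coordinates
    "session": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl",  # fake JWT
}).encode()
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="platform"\r\n\r\n'
    "ios\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="report"; filename="r.gz"\r\n'
    "Content-Type: application/octet-stream\r\n\r\n"
).encode() + gzip.compress(_REPORT) + f"\r\n--{BOUNDARY}--\r\n".encode()

GZIP_MAGIC = b"\x1f\x8b"

# Exact lat/lon pairs (3+ decimals, i.e. building-level precision) in JSON or key=value
# form, and JWTs (three base64url segments; the header segment always starts with "eyJ").
LAT_LON_RE = re.compile(
    r'"?(lat|latitude)"?\s*[:=]\s*(-?\d{1,2}\.\d{3,})\D{1,40}?'
    r'"?(lon|lng|longitude)"?\s*[:=]\s*(-?\d{1,3}\.\d{3,})', re.I)
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b")


def split_multipart(body, boundary):
    """Yield (headers, data) for each part of a multipart body (no nested parts)."""
    delim = b"--" + boundary.encode()
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        chunk = chunk.lstrip(b"\r\n")
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):           # CRLF that precedes the next delimiter
            data = data[:-2]
        yield head.decode(errors="replace"), data


def inflate(data):
    """Gunzip a part only if it carries the gzip magic; other parts pass through."""
    return gzip.decompress(data) if data.startswith(GZIP_MAGIC) else data


def scan_body(body, boundary):
    """Return (part name, kind, value) for every GPS pair or JWT found in any part."""
    findings = []
    for headers, data in split_multipart(body, boundary):
        m = re.search(r'name="([^"]+)"', headers)
        name = m.group(1) if m else "?"
        text = inflate(data).decode(errors="replace")
        for g in LAT_LON_RE.finditer(text):
            findings.append((name, "gps", f"{g.group(2)},{g.group(4)}"))
        for j in JWT_RE.finditer(text):
            findings.append((name, "jwt", j.group(0)[:12] + "..."))  # never log the whole token
    return findings


if __name__ == "__main__":
    for part, kind, value in scan_body(SAMPLE_BODY, BOUNDARY):
        print(f"part={part} kind={kind} value={value}")
```

Point it at a body saved from the proxy, with the boundary taken from the request's Content-Type header, to get a per-part list of what a single request actually carried.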
[Music]
Is it picking up? Awesome. All right, so those of you who have worked with me or been at DC865 back before I moved away, you know who I am. I'm Adam Compton. Those of you who don't know who I am, I am the weirdo in the overalls who's presenting at BSides Knoxville every year. So my name is Adam Compton. Today we're gonna be talking a little bit... originally, I'd... not working, let me see if that's working. But originally I was going to be giving a talk on a new tool I was gonna be creating. I haven't got quite to the point where I've got the tool ready for demo yet. That's fine, I still got to use the rest of my slides, and I've beat them up for everybody. It's more of a "how do you do OSINT, what is OSINT," a primer for OSINT, stuff like that, just the different techniques, get a good variety of information out there for everybody, predominately for pen testers, but it can be used by anybody. And you're not working... oh well, there we go, that works then. So first of all, who am I? Short answer: I'm a father, husband, son, brother, standard stuff that everybody... well, not everybody, unless, yeah, not everybody's a brother or son or whatever, but still. I'm a programmer, pen tester, researcher. I've been in the InfoSec field since before 2000, so I have 18-plus years in here. Most of that time has been doing penetration testing or something very akin to that, red team, blue team, something like that. I've done some software development in there, I've done some barbecue researching in there, I've done a bunch of other things, but I've been involved in information security for well over 18 years at this point. And yes, of course, at the bottom, I'm a hillbilly. I actually get to claim I am: I was born and raised in the mountains of Appalachia up in Pike County, Kentucky, so close enough for me to say I'm a hillbilly. Parents are both hillbillies, and so got that. Now, today's talk is gonna be on OSINT, and I like to
read this. This is a quote from one of the best books I have, one of the best recent books I've collected on OSINT, open source intelligence gathering. That is by an individual named Michael Bazzell. He has a very interesting background: he does a lot of stuff with information gathering, he's done sort of private investigator stuff, he's done all kind of stuff out there, he's very knowledgeable on it, and I liked his little description, the definition here. That is the bare basics of what OSINT is: OSINT is just the ability to gather information from public sources. Now, what do you do with that information, or what are those open sources, or why are you doing that, that can vary based on a person, stuff like that, and we'll talk about that a little bit in a minute. But at its basic core, OSINT is just going out and gathering data. It can be, I don't know, usernames, it can be what somebody looks like, it can be going to Google Maps and just doing an aerial picture of what a location looks like. All of this is just information that's out there for public consumption. Now, with that though, you have to wonder sometimes, is it legal? First and foremost, I'm not a lawyer, I don't ever profess to be a lawyer, and I'm not married to a lawyer or anything like that, but the shortest answer that I feel comfortable saying is that in most cases, yes. Now there are always going to be those edge cases. If you can just go to somebody's web page and it's written right out there on the www.whatever.com and it's there, that's fine. Do a DNS lookup, fine, stuff like that, no problem at all. Now, if you're having to do something like go to a website and you see some piece of information, and then there's a login portal to get the additional information, and you have to find the way around that login portal to get in there to get to the data, and you don't have authorization, then you're really not in a good balance for legality there. Yeah, you got to the data, but you didn't log into it, you just found a bypass to get to it, so yeah, it's a little iffy in there. Or, talking... and I will talk on this again later, but data breaches: lots of data out there, and we'll talk about data breaches. Like I said, people have compromised a network or some systems, take all this data, dump it out to the web, to places like Pastebin or wherever, and people download all that. Well, it's out there on the web, that means it's open now, right? I can go and grab that. Your mileage may vary, but fundamentally I would say, if you do not have valid access to that data, normally don't go and download it, because you might make a situation hard for you or your company or something like that. If you are, like, the OPM data breach that came out a couple years back, if you had a security clearance and you grabbed hold of that and you had access to it, you probably lost your security clearance, so there's probably not gonna do much more to you, but you've then violated a trust relationship there. If you get hold of a data set from another company, and on your own you got it, and you loaded it up at your work company, now there might be some friction or some legal action between their company and your company, and your company gets involved instead of just you. So be careful with this kind of stuff. If it's a piece of data that you can access freely without having to bypass any security mechanisms, or it didn't come from some illicit activity, something like that, you're probably safe looking at it and having it and all that. But now, if you had to, like, do a direct object reference and bypass some sort of security to get access to the data, or it's a data dump or something like that, yeah, be cautious. It's your career, it's your livelihood, it's all that. Just be cautious with that. And as I said, I'm not a lawyer, and you probably have good in-house lawyers at each of your
company, so hit them up and talk to them about that. Now, with that out of the way, what is OSINT... I mean, why do we do OSINT? Let's get back onto OSINT and some of that. Well, because it's a useful tool. Sometimes you're sitting in a situation where, if you're a pentester, the company says "here, here's this external web app, see what you can do," or "external-facing systems, see what you can do," and you come into it completely blind, you don't know anything about it. Well, you can start hammering away at it, run nmap, do all kind of stuff and look at it, or you can do a little bit of OSINT and just try to pull some information back to help prep you for it. Maybe it's a login portal and you have no idea what some usernames are. What do you do? You do OSINT to try to gather usernames or employee names, then you can start to use that to feed into, like, a password guessing technique or something like that. It helps as a catalyst, sort of a source for other activities down the road. Or it might be that you're wanting to do a background investigation on a new employee, or you're a private investigator or something. In those cases, OSINT is very useful, because you can get access to all this data without having to pay for it in most cases, and there are other cases where you might have to pay a minimal fee for some of that, but it all depends on what you're going after, as we'll talk about here. But it's mostly because it works. So it's the same reason, when I do presentations on why do people do social engineering, why do people do all these other things: they do it because it works. Why do you do OSINT? Because it's going to make your job easier down the road. A little bit of effort up front, you can gather a lot of information that probably, or most likely, will pay out in some way during your pen test or future work, whether it's usernames, system types, stuff like that. We'll go through a few demos, a few tools later on, where you'll see the kind of data you can gather. As I said, OSINT is really kind of... why do you do the OSINT, and how do you do the OSINT? All right, it's heavily determined by what are you looking to get out of it. If you're just looking to do a "yeah, there's some usernames to throw at some login portal, okay, find that, sure, go," you're looking to get usernames, so you probably want to get the email type or syntax, first dot last name or what have you. You probably want to get a user or employee listing, stuff like that. So that helps drive what kind of information you're going after. If you want to do a background investigation on a new employee, well, you're probably going to go out and either pay somebody or pay minimal fees or something like that to see what kind of a criminal history they might have, paid service, or you might go out to look at their Instagram or their Facebook pages or stuff like that, see what they talk about on there. Do they have a blog? What do they show on there? All this stuff is free, open-source stuff in that case, so you can start doing that kind of stuff, looking up information on people. What is your goal? Then it helps. It can vary greatly depending on situation to situation, but as a pen tester, most of the time you're looking for actionable data that can help you on an engagement. So in that case you're looking for usernames, passwords, personal details if you're doing, like, a social engineering exercise. Maybe locate somebody, that goes back into the private investigator side. Or, also, looking at going into an open source social engineering exercise: if you do a little bit of OSINT up front you'll find out that here's the employee list that I might want to target, there's some phone numbers for it, and these individuals are located in New York and these are located in LA. So if I want to call them or send them an email at the beginning of the day, there's a time difference there I have to be aware of, stuff like that that you can gather based on where they're located. A lot of this information is hosted on sites like LinkedIn, stuff like that, and we'll look at that in a moment. And how and where do you gather OSINT? Well,
there's basically two primary sources of data collection opportunities in OSINT. First of which is the internet. On the internet you can go out, you can do stuff like search engine searches: Google searches, Bing, or Yandex, and there's other ones that are sort of meta searches like Shodan and tools like that. All of this we'll be touching on briefly as we go through. Social media: I've already mentioned LinkedIn and Facebook and Twitter. Online communities like GitHub and sites like that, Reddit. Data sharing and hosting: Pastebin, a great source of data out there. You also have SlideShare and Gist from GitHub, where people post up just little snippets of code and data. If you're going after somebody at a company, or a company itself, their corporate website is a great resource to go look at; they have stuff like job listings, an employee list, and all kind of stuff like that. The other option is tools: not just browsing the web and looking at stuff, but using tools, like system tools. There's a lot of tools built into the operating system that you can leverage for some information. Then of course there's a whole suite of pentester tools out there; most of them can be found on Kali, you can go search new ones out there, they're on GitHub, they're all over the place. There's a couple resources I'll give you at the end of the slides that tell you where you can go find some of these other tools and capabilities out there, and these slides will be hosted up on SlideShare later on, as well as on my own site. I'll give all that information out. And then APIs: a lot of online sites also give you the ability to do a programming interface to it, an API that you can either go to the website and type into the URL, or sometimes it allows you to incorporate it into your own tools, stuff like that. We'll be touching a little on all these. So let's go ahead and jump into some of the internet stuff. And I do
remember those days. This is just typed in Internet Explorer on old XP, and get into Google, and this is what popped up, and I had to laugh and I put it in there. I remember the days I actually went out to Slashdot; haven't been there in years now, though. I replaced that with Digg, and then I just went away from that altogether and went with Reddit and Twitter and what have you. But, as I said before, you have some of the standard stuff on the internet. Search engines: you have stuff like Google and Bing. Social media: Facebook, Twitter, LinkedIn, Instagram, the list goes on and on and on, Snapchat, all that kind of stuff. Online communities: GitHub, Reddit. Data sharing, talked about that. Company sites, a few of the examples up there. Search engines: a lot of people think just Google when they think search engines. It's not the only one out there, it hasn't been the only one out there forever. Before it you had a lot of other search engines, Mozilla, all of them had their own. But yeah, Bing, you have Yandex, Baidu. DuckDuckGo is a great one, it's sort of a meta search engine that searches other search engines for the stuff and gives you some interesting data. It has a few features built in that prevent it from being scraped as easily, but it can be done. Yes? Yeah, right, correct, correct. But at the same time, most of these, like Google or Bing, I tend to do it in sort of an incognito version or like that, where it doesn't use my own cookies and all that anyway, so you get around there a little bit. But yes, DuckDuckGo is a pretty awesome site, go check it out, but it does lack some of the nice advanced features that sites like Google itself has. And also, if you're looking up something on an individual or a company that's in another country, see what their search engine of choice in that country is. Is it Yandex, is it Baidu, whatever, go and use that as well. Google is great, don't get me wrong, I love Google, I have a Google phone, I have all this stuff, but it is not going to be the best in every situation. Sometimes even Bing will get you different results than Google. Use a variety of these. If you have a lot of tools, I'll talk about one later on, theHarvester, you can tell it to go out and find any data it can on a particular domain, and you can tell it which search engines to use. By default it goes with Google, but sometimes you can say do them all: go out, search Google, Bing and that, and append all the data together, sort it and present it to you. So sometimes those other tools will find you things that Google won't. Social media: Facebook, Twitter, Instagram, LinkedIn. People love to go out onto these sites and share lots and lots and lots of information: where have you worked at, who do you work with, who are your coworkers, what's your job title, when's your birthday, what's your address, what state do you live in, who's your relatives, when is their birthday. All this information is out there that people love to share, and I don't really understand why in a lot of cases, because some of this, like, no one outside of your family should know some of this information, and if they're in your family they probably already know this information. So, and a lot of these sites also, they're getting better as time goes on, absolutely, but they tend to default on the "give more information than is necessary" side as opposed to being on the privacy side, because they're a social sharing site, they like people to share. So unless you go in and explicitly turn off the sharing, most of these sites are going to give out a lot of data. So let's go ahead and jump over, and we're going to look at a couple little OSINT techniques on some of the stuff we've already talked about there. Let's jump over here, see if I can get my screen showing up here. Nope, not that one. Give
me a second, technology is hard, I'm old, I don't understand it, it confuses me. All right, where am I here? All right, let's go and look at some search engine stuff. Basically, let's just go to Google here. One of the first things you can always do on Google... well, this is going to be search engine there... is search for the site command: site: and then a company name or a company domain, and it will only return results that have rapid7.com, in this case. You can do the same thing on Google there, but yeah, they should all come back with rapid7.com as their domain name. You could do the same thing with other ones, you could do Apple, what have you. Now you could do that, and then you could say... what's a good one, I don't know, "jobs"? Well, Apple is probably a bad one to do "jobs" with, yeah, just realized, like there's going to be a lot of hits on that, but still, you see like jobs at Apple, stuff like that, popular. So you start finding this, getting into some of the more advanced search techniques inside of Google, you can start pulling up specific documents and all this stuff. There's a term for this that Johnny Long coined years ago, it's called Google dorks or Google hacking, and at the time he was maintaining this, and after he got out of doing actual exploitation and talks and all that and he decided to go off to Uganda, he gave this over, gave it up, and the people over at Exploit-DB picked it up and ran with it. So let's go to Exploit-DB, the Google Hacking Database. So they've taken it over and it's still going, as you can see there: you have May 18th, there's a new one just thrown in there. So you have all this stuff that just keeps coming in here, all these different search terms. Let's scroll up: you're like "inurl," that has to show up in the URL; you do "site"; you can do, what's that, some other ones down here, "intitle"; you have file types; you can do all kind of stuff in here. Let's jump to, let's see here, "Footholds," it's a good little one here, search, see what we got. So, oh, here, this top one, that looks like a c99 shell fingerprint. So let's click on that. It tells you about it, who uploaded it, what's the search. Let's go ahead and hit the Google search for that. And you're not working, why not work? You just weren't going to... yay, like demos. Let's go back over here. Why are you not working? Absolutely, let's try that one more time, and no, am I offline maybe? Let's try this, let's go on Google. Nope, I'm still up there. Oh well, um, let's just get rid of that. Let's try it; if this doesn't work we'll try a different one. Yeah, there we go, but that's not the one I was looking for. Oh well, let's try a different one here, let's go back. Snow shells, sure, see that one, yeah, there we go. Any one of these would probably do it, so it's "no show," intitle snows, yeah, click on one of these and send back... yay, I don't want to do that, but you can see what all you can find in here. Let's go back to the Google Hacking Database, and you can see they have categories in here for footholds, files containing usernames, sensitive documents, web server detection, vulnerable files, error messages, network vulnerabilities, all kind of stuff. You go down here to files containing passwords, there's all kinds of stuff you can find in here. Let's just jump back here a ways and see what we have. Oh, is there anything that looks interesting? All right, there, filetype:inc, so it's a .inc file, and then the name, or somewhere else in there, it's going to contain MSSQL connect or MySQL connect. And so let's search on that. Yes, I am NOT a robot, thank you, Google, for checking. And right, look at this, we have a config file, and I'm betting there's probably a username and password stored in there somewhere. I'm not going to look for it too deep, but you have this kind of stuff you can do with Google, Google dork searching, all kind of fun stuff in there. Let's see what else we have under search engines. Let's say you're wanting to look at a site, but you're thinking, well, I don't want them to know I'm looking at their site, or I want to see an old version of the site, because maybe they had something sensitive up there that I wanted to see that they've since removed. Well, you have something like the Wayback Machine, or Internet Archive. So let's go to www.beadaholique.com, to 2015, so you can see the different versions of this website as it dates back in time. Maybe they had links in there, maybe they had some content on there that they posted up that they don't have anymore. The Wayback Machine doesn't archive every single instance of every web page, but it indexes quite a few of them, and especially ones that people have looked up before; it tends to look them up more often and index them. This is a great resource, and you're not even looking at their website right here, you're looking at the Wayback Machine and their server, so there's not even any web logs on their web server that you're looking at their data.
It's an older version. You do something similar with, like, Google Translate or Google caches, so you look at the current version without actually hitting their website. Search engines, let's here, let's go to Shodan, another one of my favorite sites. So yeah, you got up here Shodan. Shodan is, for those of you who are not familiar: think if you took nmap and you ran nmap on the internet, and then you took that and threw it into a database and gave it a web front-end so people could search and sort through it for all kind of useful information. Lots of stuff can happen, and here's one example. So you can go in here and search for, I don't know, hostname:rapid7. Let's just search for what Shodan has on rapid7, second. All right, it comes back with a hundred and fifty hits. It shows you there's HTTP, telnet, HTTP, NTP, SMTP, all kind of stuff out there, and this is just things that had rapid7 in the name somewhere in there. So, but you can go a different route on this: if you don't want to search like that, go to Explore, give it a second here, and then here's just some canned searches that they've had in their featured categories: industrial control systems, who wants to look up some SCADA systems, or databases or video games or webcams, or wow, three of those are webcams, cams, you people really love to look at cameras; default passwords, Dreambox, then you can go to more popular searches, all this stuff is just down through here. You can find all kind of amazing stuff in here, yeah, some interesting stuff in there, I'll just put it at that. So let's click on this one here real quick, SCADA systems: is there anything showing up in there? Why yes, there is: there's something in Romania, some in Spain. All these have SCADA in the name somewhere. All that, you can use this: when you find one you like, you can click on it, it dives into that one a little bit. I mean, this is, all right, oh, I didn't mean to go to the actual site, okay, my fault on that, let's just click that, should have went different, other details. So you can click on the details, it gives you some information: in Spain, it's on Vodafone, it has 22 and 80 open, here's the banner that comes back. So you use this to start profiling systems, looking like that. You can search on IPs, you can search for common strings, you can search for domain names, and help target some of your searches in there. Amazing stuff. Like I said, if the company says "oh yeah, do some recon, you're the hacker, you tell me what my internet presence is," you can go to a site like this and say, okay, search for anything that had rapid7.com in the name or something like it, and you'll find IP addresses in there, a bunch of systems. You take those, you go to a service like whois and look up a reverse on the IP to see who owns that and what block is associated with it, and then you can start scanning through that list, identify additional systems. This is just one stepping stone in the process, but it is a catalyst that helps feed into other processes. The better you can get with the OSINT, the better, in the longer run, everything else is. Okay, we did that. Let's look at some social media. So here's one of the sites I heavily recommend, and
we'll be touching on this multiple times. It's IntelTechniques, and it's done by Michael Bazzell, the guy who provided the quote at the beginning. There are a couple of sites out there and we'll talk about them, but this one here, you can go to Tools, then you can go down here to, like, Facebook, and let me see if I can zoom in on that a little bit. So yeah, you have all kinds of fun stuff in here, and you can go put in their name and search for places they visited, all kinds of stuff in there. But the one I'm looking at, let's look up Adrian, Adrian Crenshaw I think that's who it is. Let's take that, copy that and put it down here, and go populate all of them, and then all of these are searches into Facebook for us. So let's go down to photos by the user, and there we go, we have his photos up there. Okay, that's nice; you might be able to pull some useful information out of there. Let's go down here to apps used, if you might be attacking his phone or sending him an email. I see he's used Vimeo, Buffer, MailChimp, Medium, so you might target him with some sort of social engineering exercise that's saying that that account has been hacked and he needs to reset his password, something like that. This is information that is possibly actionable now, because you've pulled this out of something that he uses.

Let's go to events down here, future events: Pints for a Purpose, Bike Elf, you know, somewhere he's gonna be at, and this is May 24th at 5:00 p.m. Maybe he's gonna be there, maybe you can do some social engineering in person there. Maybe he has access to some website or some company that you need access to, maybe he'll be carrying his badge with him that you can clone and then go back to the business. Who knows. These are the kinds of things that you might want to look at. This involves a little bit of in-person activities here, but yeah, you've got all kinds of stuff, like employers: who has he worked for? He's worked for Clayton Homes, 51 Research, the Right Care, Sword and Shield. You can get all of this, you can get all kinds of information out of here. Amazing, lots of techniques in here. So let's close some of this out, don't need to look him up right now.

So let's go up here a little to Twitter, same sort of stuff. Twitter name, that's Adrian's Twitter name by the way, if you didn't know. Populate. Let's look at his Twitter page. Okay, there we go, so you've got that. What else is there down through here? Let's look at first tweet, tweets by the year, anything good in here, profile details, sure. This is going out to another site called Foller, but it's based on his Twitter activity. What do we get when this comes up? All right, his name, when did he join, it would tell you his location if he typed in a valid location, how many tweets, followers, popular hashtags he uses, a bunch of people who have mentioned him, and all of these. Yeah, and now it's all kinds of information on him that's helping you build a profile of this individual. We had photos of him, we had information about him, his employers, we had all this stuff from Facebook. Now we can look up on here and see who he's talking to, what kinds of things is he talking about, what hashtags is he using. So you're building a better profile of this individual, whether it's to attack them directly or you're just using it for other social engineering exercises; maybe you're gonna be doing a whaling exercise against them, and the more information you know about him the better. Who knows, but you have all these kinds of capabilities at your disposal here, and in here you can do other stuff too. Let's go down to, like, username, well, let's go to Instagram. He has something on Instagram I think, I don't remember what his Instagram account is, but either way. What's that? Yeah, no, he's not in here. I got his permission beforehand, by the way, I'm wearing his picture, but no, he's a good guy, he really is, don't let him know I said that. But yeah, so that's a little bit of showing how you can do some of these kinds of techniques in there. Let's jump back over to, oh, stop mirroring, there we go, go away, now go back over to slides. Yes, all right.

Then once you're done with that, then you have your online communities: GitHub, Reddit, 4chan, any site where people would like to have another community. It's not really like a social media site, but it's
a social site where people go and present themselves out there. This list can go on and on and on. eBay is a great one: you go in there and look for a company that is selling stuff on eBay. What are they selling off, what kind of hardware are they selling? Okay, well, that's a lot shorter than I thought it was. Okay, I thought it went through 50 instead of 45, my fault, sorry about that. So yeah, what kind of stuff are they selling off, stuff like that. You can use that: maybe you can buy it, maybe you can dump some credentials or some configs off of it, who knows. All this stuff is out there for you to use.

Data sharing sites: I'm gonna skip the demos until we get to the end so I can do them all at once for everybody, because I'm kind of running out of time. But data sharing, you have sites like Pastebin, or Scribd if you're throwing up some documents, or SlideShare if you're showing some slides up there, GitHub; we'll skip over this for right now. You've got some corporate sites out there. Jobs: I'll just mention this one right now. If you go out there and look at a site that says, yeah, we have a job opening for this position, stuff like that, well, you know they use that kind of technology, you know they have a need for something. Maybe you can make use of that in some of your exercises; at least you know the kind of technology, so you can tailor your attacks to that technology, or they're wanting to use it. Maybe if you're doing social engineering, maybe you can apply for the job and get an interview, you get on-site, then you're on-site, you turn it into a physical engagement when you go and do stuff. There are all kinds of capabilities there. The Contact Us page: sometimes there'll be an employee list on there, contact phone numbers, email addresses, lots of awesome actionable items on there. Command line tools, yeah, I can use the command line, I'm such a
hacker. In here you have tools: system tools, pentester tools, APIs. So as I mentioned before, system tools, some of the common ones you'll find: dig is a good one, or host, or nslookup, or any of the DNS-based tools that you like to use. You can query IPs to get hostnames and vice versa. You can do all kinds of other techniques with it; it's not just forward and reverse lookups for IPs and hostnames, you can also get TXT records, you can get HINFO records, you can get all kinds of information there. I've seen some places actually store who owns particular systems in, like, TXT records and stuff, as well as default credentials, stuff like that. That's been on the internal side of a network, but you still can use these techniques internally. traceroute: is it behind, how many hops away is it, what network is it on, stuff like that.

Some pentester tools; lots and lots of pentester tools out there, this is just a sampling of some of the ones I make use of. theHarvester is a good one: you can go out there and it can pull down usernames and email addresses and websites and, oh yeah, domain names, all that. Sublist3r, similar technique; Fierce, similar; a bunch of these are like that. EyeWitness can go out and do these screenshots of various websites, VNC services, or remote desktops. Lots more data gathering, open source: FOCA, Metagoofil are great in that they go ahead and get the metadata of files. When you save a file and publish it out there, whether it's a Word document, a PDF, a JPEG, whatever it is, there's metadata stored in there. Sometimes it's just the geolocation of where that picture was taken; if it's a PDF, what application was this created on, whose computer was it created on, was it scanned by a printer. Well, lots and lots of actionable data in there, stuff that can be used later on down the road for other types of attacks. You can gather usernames and username formats, employee names, system naming conventions, stuff like that, all kinds of stuff. Just skip over this, and we've got another demo coming up right after this.

APIs: there's a lot of sites out there, Have I Been Pwned, hunter.io, HackedEmails, Pipl or "people" depending on how you want to pronounce that, that allow you this kind of interface. So let's go ahead and jump over; I'll go through the rest of the slides and then I'll come back to it in case people have questions. You have other combination tools, like I showed before, IntelTechniques is one, OSINT Framework is another great one as well. Recon-ng, Maltego are sort of these massive tools that incorporate a lot of these techniques into them that help you click your way through doing a sort of OSINT investigation. Lots of techniques, lots of capabilities, great tools. Maltego has a free version, it also has a paid version; Recon-ng is free, both of these are free. Lots of services out there. This is where I was gonna show my demo, sorry, it's not ready yet. Some resources out there, you've got those up there. Questions: I'll come back to this. I'm going to jump over to my other system real quick while this is just finishing up here and demo a few things, but once I'm done up here I'll publish out all the slides in the next hour
probably. I'll put them out on my GitHub, I'll put them out on SlideShare or something like that, and I'll send out a link to it on Twitter. BSides Knoxville, just follow that, you'll see the link; I'll also post it out on mine, which is tatanus, so you will see everything either way, just follow it, you'll find it out there. So let's close that out. Why is that not going away there? Okay, jump down here, let's jump over to here. All right, so yeah, let's look down here.

So running theHarvester, the one I mentioned. I'm just doing it on rapid7 here, telling it to go out, search for rapid7.com, find 500 hits, just using Google to do the searching here. Let it come back; it's coming down, 0, 1, 2, 3, found a bunch of these, and there you see some email addresses coming back: Jane Doe, abuse, a few other names, including somebody I actually work with. A bunch of email addresses coming through there; you can find possible target email addresses for phishing exercises. You can use it for finding email formats, like, is it firstname.lastname, first initial last name, last name. So for that, Rapid7 appears to use a wide variety of different ones, so that's probably not a good example. There are a bunch of DNS names that are registered to Rapid7, like upnp-check, scanner, sonar, blog, a bunch of different ones on there. Great resource there. Let's clear this.

What is that one? So using dig, a simple one. You can do, again, rapid7.com; I just said dig any, so any type of record coming back, and here you can see there's TXT records containing some information. There's an SPF record, so that's for email. You have some NS records, there's your name servers. You have MX records for mail servers, so you know who their mail servers and name servers are, for targeting that if you wish. Some A records down here, if you want to target those. If they allow zone transfers, that's great; good luck finding that, you're not gonna find that basically unless you're internal to a network. But that's just a standard tool there. I'm blazing through this, I acknowledge that.

Here's a good one, let me jump back over here. If you happen to have some of the data leaks that are out there, and people have them, you can go do it. Let's look at, where's that one at, let's look up data leaks for Adam Compton here, and this is one where somebody's actually downloaded the data leaks with cleartext passwords and all that. So let's look at me, Adam Compton. This is the export, the leak it came from: Exploit.in, Last.fm, Adobe, LinkedIn, and the cleartext password that was leaked with it. Don't worry, I have changed all those, not a problem, I hope. But then you can do it for companies as well. Let's look at, uh, I don't know, let's not do Rapid7; yeah, sure, it's out there, everybody knows it, so let's go with it. Here's a bunch of these coming out as well. Here again you have usernames; if nothing else, you can get usernames of targets this way, absolutely. These are gonna be not corporate passwords, but the passwords that these users have used; they might tend to use a variant of that on their
corporate password, you don't know. All right, just let me know when I'm done and I'll be, let's see here, where's another, let's jump over here to this again, OSINT data sharing. That's not the one I wanted, but it would do too. So on Twitter there's all these accounts out there, like check my dump and stuff like that, so you just browse out. Yeah, I know it sounds funny, but they comb Pastebin and Pastebin-like sites for data dumps, again username, password, lots of stuff out there. You monitor this stuff, search Pastebin for your target company name or email addresses, you'd be amazed at the kind of stuff that comes back. Give me money, I didn't say that.

Okay, let's see here, Have I Been Pwned, just as an aside out here. Let's jump up here to this; this is one of the API ones, but like Have I Been Pwned, another way to do this is like adam dot compton at gmail.com; my Rapid7 one doesn't show up anything, that's why I'm not doing it. But this one does; you can see here, oh no, I've been pwned in Adobe, in Bitly and Dropbox, and so all these, you can see the kinds of places. So if you're so inclined to go and download one of these dumps and data breaches, you might be able to find my password in one of those. That's a way, just search for that.

Is there another good one in there I want to throw in there? Here, let's do this one: hunter.io. hunter.io is a great one; let's see if I can pull that out, hunter.io, and then I'll be done. All right, after this I'll throw my final slide back up there so everybody can see the contact. But I just searched for rapid7.com and here's all the contact information, like usernames, where it was pulled from, their name, first name, last name. All this is amazing information that's just out there, and this is a free API, hunter.io. You type in the company name right here; let's go with apple.com, see what comes up. Boom, lots and lots and lots down through there. Doesn't tell you how many, but, oh yeah, 3141; you can export that in CSV. All these resources are at your disposal out there on the internet.

Let me go ahead and throw the final slide back up there. Yeah, that'll work right there. You can contact me at any of this, you can reach out to me, I'll be happy to answer any questions. My time is up, I need to get out of here, but yes, osintframework.com, it's in the slide. The slides will be up in a few minutes on Twitter, on a bunch of sites; you can go there to look at it. inteltechniques.com is a good one, osintframework.com is a good one; yeah, it is, I love it, it's a great site. Didn't get a chance to demo it here, ran a little long, sorry about that. And thank you all so much, have a great day, and please reach out to me if you have any questions. [Applause] First time I've done these slides, I had no idea how long it was gonna take.
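The breach-exposure checks shown in the demo can also be run defensively, against your own users' passwords, without ever handing the password to a third party. As an added example that is not from the talk or from Have I Been Pwned, this Python script shows the k-anonymity range lookup that the Pwned Passwords API uses: only the first five hex characters of the SHA-1 hash go to the service, and the match happens on the client. The endpoint URL is the real one; the sample response body and its counts are constructed for the demo.

```python
"""Added example (not from the talk or from Have I Been Pwned): the k-anonymity
range lookup used by the Pwned Passwords API, which lets a defender check
whether a password appears in breach corpora without sending the password."""
import hashlib
import urllib.request
from typing import Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Uppercase SHA-1 hex digest split into the 5-char prefix that is sent to
    the service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response (one "SUFFIX:COUNT" per line) and return how many
    times the client's suffix was seen in the corpus, 0 if it is absent."""
    for line in range_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue  # skip blank or malformed lines
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def breached_count(password: str, range_body: str) -> int:
    """Offline check: hash locally, then match the suffix inside a range body."""
    _prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, range_body)


def fetch_range(prefix: str) -> str:
    """Live lookup of one prefix (network access; not used by the offline demo)."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "k-anon-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample of a range response for prefix 5BAA6. The suffixes on the
# first and third lines and all counts are made up for the demo; the second
# suffix is SHA-1("password") with its 5BAA6 prefix removed.
SAMPLE_RANGE_5BAA6 = (
    "1D2FFF0C1F1E2A0A9C6B4B4C0B1D3E5F7A9:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "2A7B6C5D4E3F2A1B0C9D8E7F6A5B4C3D2E1:1\r\n"
)

if __name__ == "__main__":
    prefix, _ = sha1_prefix_suffix("password")
    print(prefix, breached_count("password", SAMPLE_RANGE_5BAA6))  # 5BAA6 3861493
```

For a live check, replace the constructed body with `fetch_range(prefix)`; a non-zero count is the signal to reject or rotate that password.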